According to The Sun, hackers are tricking users into giving their credentials by using Google Gemini, the company’s built-in AI tool.
What do experts say
According to cybersecurity experts, bad actors are sending emails with concealed instructions that cause Gemini to generate fake phishing warnings. These tricks deceive users into giving away personal account information or visiting harmful websites. The emails are typically crafted to seem urgent and sometimes appear to come from a business.
Hackers will construct these emails by setting the font size to zero and the text color to white before inserting prompts invisible to users but picked up by Gemini, The Sun reported.
GenAI bounty manager Marco Figueroa showed how a dangerous prompt could make users receive a false alert claiming their email account was compromised. These warnings would prompt victims to call a fake “Google support” phone number to resolve the issue.
Experts have given multiple recommendations to users to help them fight these prompt injection attacks by acting immediately. The first suggestion asks the companies to configure email clients to detect and neutralize hidden content in message bodies. This move can help counter hackers sending invisible text within emails.Security experts also advised users to use post-processing filters to scan inboxes for things like “urgent messages,” URLs, or phone numbers. This step can strengthen defenses against threats.
How did the scam come to light
The scam came to light following research led by Mozilla’s 0Din security team, which showed proof of one of the hostile attacks last week. The report explained how hackers tricked Gemini into displaying a fake security alert. It warned users their password had been stolen, but the message was fake and designed to steal their information. The trick works by hiding a secret size-zero font prompt in white text that matches the email background.
So when someone clicks “summarize this email” using Gemini, the tool reads the hidden message, not just the visible bit. This type of manipulation is called “indirect prompt injection,” and it takes advantage of AI’s inability to tell the difference between a user’s question and a hacker’s embedded message.
AI can’t distinguish between the two, since both simply look like text, and it will usually follow whichever appears first, even if it’s malicious. Since Google has yet to patch this way of scamming victims, hackers can still exploit this technique. Sneaking in commands that the AI might follow will remain an effective way to leak sensitive data until users are properly protected from the threat.
AI is also integrated into Google Docs, Calendar, and third-party apps, increasing the potential risk. Google has reminded users during this scamming crisis that it does not send security alerts through Gemini summaries.
